Review for Gmail S/MIME by sunbeam60
Rated 3 out of 5 stars
Once installed, two additional buttons are added to gmail's interface. The icons themselves are clear, but the tooltip that appears is inverted and state what is currently selected, not what will happen if you click the toolbar button.
Clicking sign or encrypt (or indeed both) intercepts the "Send" button click and sends the email (now encrypted and/or signed) through gmail's SMTP interface. While this happens a message is displayed and the interface locks - if you're used to Gmail's snappy operation, this delay can seem long.
If you do not have a copy of the recipient's certificate, you are helpfully alerted that encryption is impossible. The addition of LDAP lookups would be welcome here, although obviously the extension has to crawl before it can walk.
Encrypted and signed reception is handled too. Decryption happens automatically, but signature validation (i.e. following the certificate's path up to the certification authority server such as Verisign or Thawte's root server) is invalid and, in theory, the certificate could be revoked without you knowing. The signature is parsed, however, so you can at least see the CN (Common Name) field of the signature.
S/MIME is rocket science for most users, so it's fantastic this plugin has been made. But while the addition of S/MIME functionality is great, actually being able to sign or encrypt your email requires you to get a X.509 certificate. Only Thawte provides a free, immediate option, and their UI and process is draconian and bordering impossible for the average user. Until the process of obtaining, installing and backing up your certificate is made easier, it doesn't really matter what improvements are made on this plugins.
Finally, while this extension is a good step towards S/MIME for the masses, it will always play catchup to Google's UI changes. It would be much more helpful if Google themselves offered an official Gears extension (thus working in IE, Firefox, Chrome etc.). This way, you would benefit from Google's security prowess and for the first time secure, non-repudiated email would be available for everyone.
To create your own collections, you must have a Mozilla Add-ons account.